
Wireshark-bugs: [Wireshark-bugs] [Bug 10502] Capture files from a remote virtual interface on Ma

Date: Thu, 25 Sep 2014 08:27:20 +0000

changed bug 10502


What    | Removed                                      | Added
--------+----------------------------------------------+-------------------------------------------------------------------------------------
Summary | Live capturing bug on rvi0 in MacOS X 10.9.5 | Capture files from a remote virtual interface on MacOS X 10.9.5 aren't dissected correctly

Comment # 2 on bug 10502 from
(In reply to Dima Kovalenko from comment #0)
> Live rvi0 capturing looks broken on MacOS X 10.9.5

No, *dissection* of remote virtual interface captures done on OS X 10.9.5 is
broken no matter *what* OS you try to read it on (OS X 10.9.5, OS X 10.9.4, OS
X 10.6.0, Windows XP, Windows 8.1, Fedora 20, FreeBSD 10.0, you name it).

> (1) plug your iOS device to USB
> (2) create rvi0 interface:
> $ rvictl -s <GUID of your iOS device>
> (3) start Wireshark, select rvi0 and start live capturing

Or just try to read the attached capture.

> As result, all captured packages look like this:
> 
> Source=00.00.00
> Dest. = 00.00.00
> Protocol = FC
> Info = Unknown frame (Bogus Fragment)

The bug is that the pktap dissector wasn't paying enough attention to the
length field in the pktap header, so it was assuming that the payload was 108
bytes from the beginning of the packet, so it was assuming, for example, that
the Ethernet or Wi-Fi MAC header began inside the pktap header and dissected
the zero-valued bytes as if they were MAC addresses etc.

> It's quite strange because Wireshark live capture works on other interfaces
> (e.g. wi-fi).

That's because Apple didn't change the radiotap or PPI pseudo-header (as used
on Wi-Fi) and *couldn't* change the Ethernet or Wi-Fi header, so those captures
look the same whether done on 10.9.5 or earlier OSes, but they *did* change the
pktap pseudo-header as used on rvi devices.

> Also, if I use tcpdump to capture rvi0 packages to a file, and
> then open the file with Wireshark, everything looks ok.

That's because OS X's tcpdump doesn't write them out as raw pktap packets, it
writes them out as Wi-Fi or Ethernet or... packets in a pcap-ng file.
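The following is an added illustration of the defect described in comment #2; it is not code from the bug report or from Wireshark's own pktap dissector. It assumes only that the pktap header begins with a little-endian 32-bit field holding the header's total length and that the encapsulated frame follows the header directly; the 156-byte "longer header" size, the Ethernet payload and the MAC addresses are constructed values standing in for the 10.9.5 layout, not Apple's real structure. The fixed-offset dissector lands inside the zero-filled header and reports all-zero MAC addresses, which is exactly the "Source=00.00.00" symptom in the report, while the length-aware dissector finds the frame and also refuses a length field that runs past the captured packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for this demonstration (not copied from Apple's pktap.h):
 * the pktap header starts with a little-endian 32-bit field giving the
 * header's total length, and the encapsulated frame (Ethernet here) starts
 * immediately after the header. */
#define PKTAP_LEGACY_HDR_LEN 108u   /* the size the old dissector hard-coded */
#define PKTAP_MIN_HDR_LEN    4u     /* must at least hold the length field */
#define ETHER_HDR_LEN        14u
#define MAC_STR_LEN          18     /* "aa:bb:cc:dd:ee:ff" plus NUL */

/* What the buggy dissector did: payload always at byte 108. */
static size_t payload_offset_fixed(const uint8_t *pkt, size_t pkt_len) {
    (void)pkt; (void)pkt_len;
    return PKTAP_LEGACY_HDR_LEN;
}

/* Length-aware variant: trust the header's own length field, but only after
 * checking it is neither shorter than the minimal header nor longer than the
 * captured packet. Returns 0 and stores the offset, or -1 on a bogus length. */
static int payload_offset_from_length(const uint8_t *pkt, size_t pkt_len, size_t *off) {
    if (pkt_len < PKTAP_MIN_HDR_LEN) return -1;
    uint32_t hdr_len = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                       ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (hdr_len < PKTAP_MIN_HDR_LEN || hdr_len > pkt_len) return -1;
    *off = hdr_len;
    return 0;
}

/* Format the Ethernet destination MAC found at `off`; -1 if it does not fit. */
static int ether_dst_at(const uint8_t *pkt, size_t pkt_len, size_t off, char out[MAC_STR_LEN]) {
    if (off > pkt_len || pkt_len - off < ETHER_HDR_LEN) return -1;
    snprintf(out, MAC_STR_LEN, "%02x:%02x:%02x:%02x:%02x:%02x",
             pkt[off], pkt[off + 1], pkt[off + 2], pkt[off + 3], pkt[off + 4], pkt[off + 5]);
    return 0;
}

/* Constructed packet: `hdr_len` bytes of pktap header (length field, then
 * zeros) followed by a minimal Ethernet frame. Returns total length, 0 on error. */
static size_t build_packet(uint8_t *buf, size_t buf_len, uint32_t hdr_len) {
    static const uint8_t ether[ETHER_HDR_LEN + 4] = {
        0x02, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC (constructed) */
        0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,   /* source MAC (constructed) */
        0x08, 0x00,                           /* EtherType IPv4 */
        0x45, 0x00, 0x00, 0x14                /* first bytes of an IPv4 header */
    };
    if (hdr_len < PKTAP_MIN_HDR_LEN || buf_len < hdr_len + sizeof ether) return 0;
    memset(buf, 0, hdr_len);
    buf[0] = (uint8_t)hdr_len;         buf[1] = (uint8_t)(hdr_len >> 8);
    buf[2] = (uint8_t)(hdr_len >> 16); buf[3] = (uint8_t)(hdr_len >> 24);
    memcpy(buf + hdr_len, ether, sizeof ether);
    return hdr_len + sizeof ether;
}

/* Dissect a packet with a `hdr_len`-byte pktap header both ways. Fills the
 * destination MAC each approach reports and returns 1 if they disagree,
 * 0 if they agree, -1 if the packet could not be built. */
int compare_dissection(uint32_t hdr_len, char fixed_dst[MAC_STR_LEN], char aware_dst[MAC_STR_LEN]) {
    uint8_t pkt[512];
    size_t off_aware = 0;
    size_t n = build_packet(pkt, sizeof pkt, hdr_len);
    strcpy(fixed_dst, "n/a");
    strcpy(aware_dst, "n/a");
    if (n == 0) return -1;
    ether_dst_at(pkt, n, payload_offset_fixed(pkt, n), fixed_dst);
    if (payload_offset_from_length(pkt, n, &off_aware) == 0)
        ether_dst_at(pkt, n, off_aware, aware_dst);
    return strcmp(fixed_dst, aware_dst) != 0;
}

/* Single-result accessors (static buffers, so not thread-safe). */
const char *fixed_offset_dst(uint32_t hdr_len) {
    static char f[MAC_STR_LEN], a[MAC_STR_LEN];
    compare_dissection(hdr_len, f, a);
    return f;
}
const char *length_aware_dst(uint32_t hdr_len) {
    static char f[MAC_STR_LEN], a[MAC_STR_LEN];
    compare_dissection(hdr_len, f, a);
    return a;
}

/* A capture whose length field claims more than the packet holds must be
 * rejected rather than read past the end. Returns 1 if it is rejected. */
int bogus_length_rejected(void) {
    uint8_t pkt[20] = { 0xc8, 0x00, 0x00, 0x00 };   /* claims a 200-byte header */
    size_t off;
    return payload_offset_from_length(pkt, sizeof pkt, &off) == -1;
}

int main(void) {
    printf("108-byte header: fixed=%s length-aware=%s\n",
           fixed_offset_dst(108), length_aware_dst(108));
    printf("156-byte header: fixed=%s length-aware=%s\n",
           fixed_offset_dst(156), length_aware_dst(156));
    return 0;
}
```

With the old 108-byte header both approaches agree; with the constructed longer header the fixed offset reads six zero bytes of header as a MAC address, which is why every packet in the attached capture decoded to zero addresses and a bogus protocol. The bounds check in payload_offset_from_length is the part worth keeping in any dissector: a length field is attacker-controlled input in a capture file, so it is validated against the captured length before being used as an offset.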

